
TidBITS#1051/01-Nov-2010

We can finally take a bit of a breather from Apple announcements and focus on other topics. Jeff Carlson anchors this week’s issue with a review of the new Photoshop Elements 9, Rich Mogull shares the depressing news that the new Firesheep tool makes sidejacking trivially easy, and Michael E. Cohen looks at the new MobileMe Calendar and whether or not you should upgrade (also be sure to see Joe Kissell’s just-released “Take Control of MobileMe, Second Edition” for complete usage instructions!). Also this week, Matt Neuburg regrets his move to Outlook 2011 and explains how to switch back to Apple Mail, and Michael covers the new features in BBEdit 9.6. Plus, you can win a copy of Smile’s $99.95 PDFpenPro in this week’s DealBITS drawing! Notable software releases this week include iPhoto ’11 9.0.1 (which fixes the library import bug), Camino 2.0.5, Postbox 2.0.2, and Things 1.4.3.

An upgrade to the powerful and venerable editor from Bare Bones Software includes HTML5 syntax support, directory-specific settings, and access to Automator workflows on the Scripts menu, among a plethora of enhancements and fixes.

Need some entertainment? Lock about a dozen coders in a room and ask them to name the best text editor ever. When the hilarity finishes ensuing, chances are that at least several will have named BBEdit. For those coders, any news of a BBEdit update means a lot of virtual pushing as they all try to get to the Bare Bones Software servers all at once.

There must have been such a shoving match on 26 October 2010 as news of BBEdit 9.6 hit the Internet. After all, a major point release always brings with it new goodies as well as the expected bug fixes. And this release does have rich heaps of goodness. Well over a dozen new features, in fact, along with several dozen changes, and over 150 fixes listed in the BBEdit 9.6 release notes—and a bit of deprecation.

Web developers will be pleased to find a number of enhancements and additions, including the addition of HTML5 support—via a syntax table—for the Check Syntax, Tag Maker, and Edit Tag commands when an HTML5 document is being edited. Syntax coloring for CSS has also been improved, as has code completion for CSS properties, which now includes a colon and placeholder. And, speaking of code completion, BBEdit now recognizes the kind of HTML/XHTML document being edited and uses that doctype when generating tags and attributes.

Those developers who work on a number of different projects and who require different settings for each project can now specify settings based upon the directory in which the project resides: create a properly formatted INI file for BBEdit, give it any name that ends in .bbeditsettings, and save it. The settings in that file apply to any file opened from the directory in which the .bbeditsettings file resides—or to any files opened from directories beneath that directory in the file hierarchy.

BBEdit has provided Automator workflows for some time, but with version 9.6, Automator workflows can be placed in the ~/Library/Application Support/BBEdit/Scripts/ folder and they will appear on the Scripts menu and in the Scripts palette.

Numerous changes have also been made to improve performance with large files and to remove some legacy limitations and features. For example, to improve performance with very large files, the soft-wrap text preference is ignored when you open files larger than a megabyte. You can adjust the threshold for disabling the preference if you regularly edit very large files and want to spend the time waiting for the text to wrap.

Along those lines, the Find All Misspelled Words command now only checks the first million characters of a file; this limit can also be changed. Similarly, BBEdit disables word-counting when a document is over 16 million characters long, but you can override that behavior as well.

Among the legacy items removed are the PageMill, GoLive, and Claris HomePage code cleaners. Also gone is the Markup > Inline > Convert to Client Side Map command. BBXT plug-in support is now sleeping with the fishes, too, a change which eliminates the Plug-Ins window from the Palettes menu, and which removes the Tools menu from the menu bar.

Then there are some usability tweaks. For example, the HTML formatter options have been renamed: Gentle Hierarchical format is now known as Pretty Print, and the Hierarchical formatter option is now called Strict Hierarchical.

One fix that sounds trivial, but which makes life a lot easier, relates to file comparison: if you are comparing two files, and either or both of them change on disk, BBEdit 9.6 recomputes the differences automatically.

Of course, none of the changes will affect every BBEdit user, but every user will find some changes to appreciate, complain about (beware the PageMill Fan Club!), or merely to ponder. In the last category is this listed addition: “Iä! Iä! Birdies fhtagn!” (No, we don’t know what it means, either, but we’re sure it means something to someone. Possibly someone from the sunken city of R’lyeh.)

BBEdit 9.6 is a free update to all users with a BBEdit 9 serial number; owners of BBEdit 2.5 through 8.7.2 can upgrade for $30. The retail price is $125, with a $49 price for educational purchasers. A free 30-day trial is available.

Automatic turns almost any car into a connected car. By pairing
Automatic’s connected car adapter with iPhone apps on
Automatic’s platform, drivers are able to drive safer and smarter.
TidBITS readers get 20% off all orders at <http://automatic.com/tb>

Joe Kissell’s revised ebook about MobileMe explores the nooks and crannies of Apple’s cloud-based service, guides you through the latest MobileMe changes, and explains what they mean to you.

If you’ve had a Mac long enough, you’ve seen Apple’s cloud-based service go through many changes, from its humble beginnings as iTools in early 2000, through its 2002 transition to .Mac, and to its present incarnation as the far more capable MobileMe. Through all those changes, keeping track of what the service did, and how you could best use it, required constant attention to various Apple announcements and tech support postings, and to press descriptions and analyses of Apple’s play in the software-as-a-service arena.

Now, thanks to Joe Kissell and his newly revised “Take Control of MobileMe, Second Edition,” you can find out exactly what MobileMe offers, what it’s good for, and how you can best take advantage of its various features, all from within the virtual pages of a single $10 ebook.

Joe has been running the Red Queen’s race in his attempt to finish the book: each time he thought his book was ready for release, Apple would move the finish line by announcing a new feature or a major service change. Most recently, for example, Apple changed the way MobileMe calendars worked (see “The New MobileMe Calendar: Should You Upgrade?,” 20 October 2010) and updated the MobileMe-savvy iLife application suite (see “iLife ’11 Updates Three of Its Apps,” 20 October 2010). By burning gallons of midnight oil, Joe has succeeded in rolling information about all the latest changes into this new edition.

Among the many questions to which Joe supplies the answers are the following:

What are MobileMe’s primary features?

How do I set up MobileMe syncing on my iPhone, iPad, or iPod touch?

How quickly should I expect MobileMe to sync my data?

Which types of data sync only between Macs and which can sync across platforms?

How do I configure my email software to use MobileMe?

How do I access my iDisk from Windows?

How do I add movies and photos to my Web Gallery?

Where in my MobileMe account does my iWeb-created site go?

What should I do to host a non-iWeb site in my MobileMe account?

How can I configure my AirPort Extreme to work with Back to My Mac?

Although much of what MobileMe does is available in other ways, the convenience of MobileMe and its integration with both the Mac and Apple’s iOS devices make the $99/year service from Apple a compelling option. (Heck, all of MobileMe is cheaper than carrier services that provide features similar to Find My iPhone.) And now, with Joe’s “Take Control of MobileMe, Second Edition” guidebook, you can ensure that you’re getting your money’s worth.

Smile’s PDFpen is a great tool for editing and tweaking PDFs. But its big brother, PDFpenPro, goes even further, enabling you to create PDFs from a Web site and make PDF forms. Enter to win a copy—along with our “Take Control of PDFpen 5” ebook—in this week’s DealBITS drawing!

We’ve written about Smile’s PDFpen software on a number of occasions, since it’s great for editing and marking up PDFs in a wide variety of ways. You can correct text, redact text, tweak graphics, add your signature to a PDF contract, merge PDFs, move pages around, make comments in the PDF, and loads more. For most people, PDFpen is all you need. But PDFpen’s big brother, PDFpenPro, offers three additional features:

You can create a multi-page PDF from a Web site, with PDFpenPro converting each linked page as necessary as many levels deep as you need. This could be useful for taking a snapshot of a site, or putting it in a format where you can mark it up or make comments.

You can create PDF-based interactive forms with text fields, checkboxes, and radio buttons—the data can be returned via email or the Web.

You can create and edit the table of contents (also known as bookmarks—the links that appear in the sidebar in Preview) for a PDF. A table of contents makes a PDF much more navigable.

So if you want to win one of three copies of PDFpenPro 5, worth $99.95, enter at the DealBITS page. And we’ll sweeten the deal even further, by including as part of the prize a copy of Michael E. Cohen’s ebook, “Take Control of PDFpen 5,” which tells you everything you need to know about how to use PDFpenPro.

All information gathered is covered by our comprehensive privacy policy. Remember too, that if someone you refer to this drawing wins, you’ll receive the same prize as a reward for spreading the word.


Oh, the sacrifices I make for our TidBITS readership. If I’d known what I was getting myself into, I would never have adopted Microsoft Outlook, from Office 2011, in order to review it (see “The Outlook for Microsoft Outlook,” 8 October 2010). Things got worse and worse as I continued to try to use the program. In addition to there being no formatting of quoting levels (Paste As Quotation, Increase Quote Level) there turned out to be no Resend command (so I couldn’t take an existing reply and send it again, to someone else or to the same person with the original reply quoted). For these and many other reasons, some of them appearing in the review, Outlook was turning out to be a horror. For the way I use mail, it was simply untenable.

So I decided to bite the bullet and migrate myself yet again into some other mail application. That’s when I discovered that Outlook 2011 lacks something else I require from any mail program—a way of exporting my mailboxes. You can save all your mail as a single .olm file, but no other application can read it, and in any case my attempt to do that failed (Outlook broke down in the middle of the operation). You can drag individual messages to the Finder, but this results in individual .eml files, which most other mail programs can’t import. What I needed was a way to export to “mbox” files, a more-or-less universal standard representing a mailbox and all its messages.

After some hours of banging around fruitlessly, I discovered that I already had the perfect mbox creation tool at hand. Not only that, but this was a tool that could reach right into Outlook 2011, grab all my selected messages, and assemble them into mbox files that Mail can import. That tool is EagleFiler, which I reviewed several months ago in “EagleFiler Turns a Finder Folder Into a Snippet Keeper” (24 February 2010).

As I said in my review, I was already using EagleFiler to slough off unneeded mail folders from Entourage. Using a mail client as a database over the long term has always seemed to me a confusion of categories in any case; certainly there needs to be fast searching of a small set of current or frequently needed messages from within the mail client, but in general it’s perfectly fine for me to archive most of my saved backlog to an application that really knows how to search the heck out of mail messages, and that’s exactly what EagleFiler knows how to do.

But would EagleFiler know how to talk to Outlook 2011? It turned out that developer Michael Tsai was right on top of things. He’s working on a beta version (1.5) that boasts a number of improvements, including better feedback in the main window when EagleFiler is busy indexing, more sprightly navigation and rearrangement of folders, indexing of email attachments, and much more. Most important, this version has the power to import from Outlook.

So, with the new version of EagleFiler in hand, I selected all my messages in Outlook and told EagleFiler to import them by pressing the F1 key, right there in Outlook. In less time than it took to make myself a fresh cup of cappuccino with my handy-dandy Pavoni Napolitana, EagleFiler had grabbed all my mail messages and assembled them into mbox files, each file having the name of the Outlook mailbox or mail “folder” from which its messages came. (The files do not have a literal .mbox file extension, but they are mbox files nonetheless.)

I tested a few of the resulting files by having Mail import them, and it worked perfectly. This, in case you’ve never tried it, is a two-step process. In Mail, you choose File > Import Mailboxes. This brings up a dialog where you specify the mailbox source type; in this instance, I selected the last option, “Files in mbox format.” This in turn summons an Open dialog in which I could select the mbox files created by EagleFiler and import them. Mail creates an Import folder and puts the imported messages into mailboxes within it, named after the mbox files on which they are based; you can move these mailboxes elsewhere in Mail’s On My Mac collection, but for now I’m just leaving them where they are.

I also took this opportunity to prune my email, by which I mean that I imported only a few mailboxes into Mail; the rest I simply left in the highly competent care of EagleFiler. If I discover later that I need the contents of a further mailbox accessible from within Mail, I can always import it then.

And that’s the end of the story. I have now migrated myself completely out of Microsoft Outlook and into Apple Mail. I’m not crazy about Mail as a long-term solution, but it has all the basic features I need, it’s sufficiently scriptable with AppleScript for my workflow purposes, and—most important—if I later decide to migrate out of it, I know that EagleFiler will be there to help me.


On 14 October 2010, Apple took the beta label off of its new CalDAV-based MobileMe calendar and made it available as an optional upgrade to all MobileMe users. The new calendar boasts a number of new features and conveniences, but, as many users are discovering, the upgrade process is not transparent, and, in some cases, can be downright opaque. Luckily, switching to the new MobileMe calendar is entirely optional, and if you don’t want to do it, just don’t click that Get Started button in the MobileMe Calendar Web interface, or the Upgrade Now link that appears in the sidebar.

First, the Features -- The new Web-based MobileMe calendar app looks a lot like the layout of the Calendar app on the iPad with an added (but easily hidden) iCal-style sidebar tacked on to its left side. The calendar can present day, week, month, and list views, and can be navigated by a control-strip widget at the bottom—again much like the iPad calendar app.

Adding an event to the calendar is simple: just double-click the calendar display pane, much as you would in iCal, to place an event and edit it. The event belongs to the calendar currently selected in the sidebar, but you can easily change the calendar to which the event belongs.

You can invite people to events you create: MobileMe sends an HTML-formatted email message with Accept, Decline, and Maybe buttons. When a recipient responds to an invitation, MobileMe shows you a notification with the recipient’s response.

In the sidebar, you can choose which of your calendars to display in the main viewing pane. You can also click a broadcast button beside each calendar to share it, either privately or publicly. Public calendars can be viewed by anybody: the Web app provides a (long and complicated) URL that anyone with a CalDAV-compatible program can use to subscribe to the shared calendar. When you share a calendar publicly, MobileMe offers to send the calendar URL to a list of email addresses that you provide. Publicly shared calendars are view-only.

Privately shared calendars can be either view-only or editable by the people with whom you share them. Unlike public calendars, private calendars can be viewed and edited only by other MobileMe members. When you share a calendar either privately or publicly, MobileMe uses your MobileMe contacts to help you address the calendar invitations.

The MobileMe calendar can cache information locally on your computer to improve performance. If you have a complex set of calendars and events, this feature can make using the MobileMe calendar far more fluid, but note that this feature is also a security issue: the local calendar cache is not encrypted, so you should avoid the caching feature on any computer that is not your own.

You can also delete calendars from the MobileMe calendar sidebar, but be warned: deleting a calendar on MobileMe also deletes it in iCal and on every device that you sync with MobileMe.

Then, the Issues -- Because the new MobileMe calendar service uses the CalDAV standard for shared calendars rather than Mac OS X’s Sync Services, switching to the new format can raise a number of issues:

If you are using other applications on your Mac to sync with iCal using Sync Services (such as Entourage or BusyCal), upgrading to the new MobileMe calendar will break things, potentially badly. In some cases, such as with BusyCal, there may be new versions of the software that work with CalDAV calendars. For others, you may simply lose the capability to modify the MobileMe calendars and they’ll be read-only, or calendar syncing won’t work in that application at all.

If you have never synced iCal with MobileMe before (or if you joined MobileMe after 30 September 2010), you have to go through a cumbersome process that involves backing up your calendars, setting up MobileMe syncing, creating new iCal calendars, importing the data from the backed-up calendars into them, and then deleting the old calendars. The Apple support note, “MobileMe: Setting up iCal for the new MobileMe Calendar,” explains these steps in detail.

If you have an iPad, you need to set up your calendars using a CalDAV account rather than using your MobileMe account (yes, even though MobileMe calendars strongly resemble the iPad Calendar app, your iPad won’t talk to MobileMe calendars via MobileMe… yet). The Apple support note, “Set up MobileMe Calendar on your iPad,” describes the process of creating the appropriate CalDAV account on your iPad. Until iOS 4.2 is released for iPad, however, your iPad won’t receive push updates from MobileMe. Apple is currently silent about how to sync other non-iOS 4-capable devices (such as an original iPhone) with the new MobileMe calendars—unfortunately, the new calendars don’t appear in iTunes if you try to sync older devices that way.

Apple has published an extensive support note, “MobileMe: New Calendar known issues,” that outlines many other known problems. I strongly encourage you to read through it before upgrading, since it’s entirely possible you rely on one of the features that even Apple is willing to admit doesn’t work.

All that said, if you happen to be one of the lucky ones who either used the MobileMe calendar beta or were already syncing calendars with MobileMe from iCal, you can upgrade to the new MobileMe with (probably) no problems. The Apple support note, “MobileMe: Setting up the new MobileMe Calendar” provides a number of useful links to help you navigate through the calendrical madness.

Is It Worth the Bother? -- The new features and improved performance of the revamped MobileMe calendar Web app are not trivial, and, if you can get over the initial hurdles, you may like them a lot. I do. (For more help with the new features, see Joe Kissell’s just-released “Take Control of MobileMe, Second Edition.”)

But if you have any software that doesn’t do CalDAV, or if you have workflows that depend on the older calendar configurations in iCal and on MobileMe, or if you are running a version of Mac OS X prior to 10.6.4, you may want to sit this one out for a while. Although Apple encourages you to update, you don’t have to: the older MobileMe calendar format still works. Just don’t push that Upgrade Now link.

A new Firefox plug-in allows anyone to hijack webmail, social networking, and other accounts accessed from the same network. Here’s why it’s a problem, how to protect yourself, and why our service providers need to fix this immediately.

Sometimes in the security world there are problems we know about for a long time that are mostly ignored until someone finally kicks us in the face with a dramatic demonstration. On 24 October 2010, freelance developer Eric Butler virtually body slammed a large percentage of the Internet with the release of Firesheep, a Firefox plug-in that enables anyone on the same local network to sidejack certain webmail, social networking, shopping, and other sessions without any technical skills; it does not work past a local router. Users on the same network connecting to sites such as Twitter, Yahoo Mail, Hotmail, and Facebook are all potentially vulnerable to Firesheep. (For more details, see our original coverage of the problem in “Sidejack Attack Jimmies Open Gmail, Other Services,” 27 August 2007.)

How Firesheep Works -- Firesheep is based on a simple premise. The plug-in constantly sniffs the local network for Web page requests from a browser to a site that Firesheep knows about. When a request is made, Firesheep extracts a browser cookie from the Web request, and offers its user the chance to hop onto the session at the vulnerable site as if he or she were the hijacked party.

This attack is known as HTTP session hijacking or sidejacking. You don’t need to steal a user’s username and password, just the special bits of information that keep his or her session active with the site they are visiting. This includes a unique token sent by the Web server to a browser; for some sites, a few other details are captured, too.

One of the problems when building a Web application is keeping track of users logged into your site. Unlike pre-Web network applications, the network protocol the Web uses—HTTP—is stateless. That means the protocol itself doesn’t include any way to maintain a persistent idea of who is retrieving pages from one request to the next, unlike many other protocols.

With HTTP, your Web browser merely sends a series of requests for pieces of data to one or more Web servers specified in an HTML page, but these are all independent actions. Your browser builds all the returned data into the Web page. (Web browsers and servers can use HTTP authentication to maintain a session, but it has an awkward interface—a pop-up dialog—and security model problems. Some private sites may use this kind of login instead of a Web-page login.)

This is in contrast to communications protocols like FTP or SSH, which build a connection when you log in. That connection is unique to the login and is maintained until it’s manually disconnected or times out from lack of use. It’s like making a phone call.

To solve this problem the masters of the Internet—that would be Netscape back in the 1990s—created the infamous cookie. A cookie is merely a bit of text that’s stored in your browser’s memory or as a persistent file on your hard drive. Barring a security failure (of which we’ve seen many), one site can never peek at the cookies set by another site. Thus a site can set your user and/or session ID as a cookie, and then use that to track you as you browse around. Other cookies keep track of things like your personal settings and preferences.

The problem is that if someone else obtains a copy of that cookie, unless the server implements additional security measures, it’s trivial for the attacker to impersonate you to the server. And those security measures are very hard to implement if you set cookies that work across multiple sessions (as is done every time you check the “keep me logged in” button on a site).

To ferret out these cookies, Firesheep merely sniffs the network to which the machine it’s running is connected. It then presents them in a nice user interface and enables the person running Firesheep to sidejack any interesting sessions. (I use the term “sidejack” since the users themselves are still logged into the site; Firesheep hasn’t “hijacked” and taken their connections away.) Firesheep is not the first tool to do this—Hamster and Ferret by Errata Security have been around for 3 years to perform the same attack—but Firesheep is elegant and insanely easy to use. It includes profiles of 26 sites that can be sidejacked.

Keep in mind, sidejacking works any time you are on the same network as the attacker, unless that network implements security to isolate traffic from sniffing. You most often see this on open hotspot networks that use Wi-Fi, or over Ethernet in places like hotels. You may even have seen this yourself when you launch iTunes in some location and see other users’ shared libraries.

Why Firesheep Works on Only Some Sites -- You might be saying to yourself, “But I know my user and password are encrypted when I log into Facebook/Twitter/whatever, so how can someone still sidejack my session?” Most major sites encrypt your login using something called SSL/TLS, commonly (though erroneously) shortened to just SSL. SSL encrypts a browser’s communications with a server, protecting you from someone sniffing on the local network.

SSL is exactly how to prevent an attack like sidejacking; the problem is that while sites may encrypt your username and password, they then drop the rest of your session back to an unencrypted state. Your password is protected, but your browser sends the cookie to the site with every single request, and thus it’s completely exposed to the attacker. You may be protected from someone harvesting your credentials to log in as you from their home later, but until that cookie changes and you are on another network they have full access to your account. They can even change your password and lock you out of your own account.

The only way a site can protect against sidejacking is to encrypt the entire session, including all the cookie exchanges. Google’s Gmail and Apple’s MobileMe are examples of services that do exactly that—you can never establish an unencrypted connection with their servers.

The owner of the site also needs to set a special cookie so an attacker can’t trick your browser into sending it in an unencrypted session. These cookies will be sent to the server only over an encrypted connection, and the feature is built into all major Web browsers. Even if a site uses SSL, the moment you attempt to connect to a non-SSL version of the site (which happens if you type the address in with http instead of https at the start, or if someone sends you a link without https), your browser sends your cookie unless it uses that special protection.

In other words, this is a problem you can’t fix yourself, and which must be resolved by the people developing the sites you visit.
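For site operators, the "special cookie" described above is one set with the standard `Secure` attribute. The following is an added example, not code from the article or from any site it names: a small audit that models which cookies a browser would attach to a plain-HTTP request, so a session cookie that would travel in the clear is flagged. The host `social.example`, the cookie names, and the sample `Set-Cookie` headers are constructed for illustration, and the `Path` attribute is deliberately ignored.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    host_only: bool  # True when the server sent no Domain attribute
    secure: bool     # Secure attribute: send only over an encrypted connection


def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie header value of the form name=value; attr; attr=value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain_attr = attrs.get("domain", "").lstrip(".").lower()
    return Cookie(
        name=name.strip(),
        value=value.strip(),
        domain=domain_attr or origin_host.lower(),
        host_only=not domain_attr,
        secure="secure" in attrs,
    )


def build_jar(set_cookie_headers, origin_host):
    """Turn a response's Set-Cookie headers into a simple cookie jar."""
    return [parse_set_cookie(h, origin_host) for h in set_cookie_headers]


def cookie_applies(cookie, host):
    """Host-only cookies need an exact match; Domain cookies also match subdomains."""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def cookies_sent(jar, url):
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    encrypted = parts.scheme == "https"
    return [c.name for c in jar
            if cookie_applies(c, host) and (encrypted or not c.secure)]


def audit(set_cookie_headers, origin_host, session_cookie_names):
    """Session cookies that would be visible to a sniffer on a plain-HTTP request."""
    jar = build_jar(set_cookie_headers, origin_host)
    leaked = cookies_sent(jar, f"http://{origin_host}/")
    return sorted(n for n in leaked if n in session_cookie_names)


# Constructed sample: a site that encrypts only the login, then sets a plain cookie.
LOGIN_ONLY_SSL = [
    "session_id=3f9c1a; Path=/; HttpOnly",
    "lang=en; Path=/",
]
# Constructed sample: a full-session SSL site that marks its session cookie Secure.
FULL_SESSION_SSL = [
    "session_id=8b2e7d; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("login-only SSL", LOGIN_ONLY_SSL),
                           ("full-session SSL", FULL_SESSION_SSL)):
        exposed = audit(headers, "social.example", {"session_id"})
        print(f"{label}: session cookies exposed over http = {exposed or 'none'}")
```

Note that `HttpOnly` appears in both samples and makes no difference here: it hides a cookie from page scripts, not from someone reading unencrypted traffic.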

Why Don’t All Sites Use SSL? -- If the fix is so easy (full-session SSL and protected cookies) you would think every site, especially major webmail, retail, and social networking providers, would implement the feature. The problem is that many of these companies fear the extra cost of full-session SSL, since it requires extra processing power to handle all the encryption (SSL is already an option on every Web server). The bigger the site, the greater their fear of additional costs.

But Google, whom I often criticize for their privacy foibles, recently implemented full-session SSL for all their Gmail connections (see “Google’s Gmail Defaults to Encrypted Sessions,” 13 January 2010). And in a blog post, Adam Langley of Google stated, “we had to deploy no additional machines and no special hardware.” Thus these fears seem to be unfounded, and there’s no longer any real excuse for leaving users so unprotected.

To be honest, as simple as sidejacking is, it hasn’t been the sort of thing most people had to worry about unless they spent time at security and hacker conferences like Defcon. Previous tools took significant technical knowledge to utilize and weren’t well known outside of security circles. But now that Firesheep is a simple Firefox add-on, your grandmother could easily take over your Facebook account when you connect your laptop to her Wi-Fi network during those boring family visits.

How to Protect Yourself -- The reality is there is only so much you can do to protect yourself until the sites you visit build in the proper security measures. If you have the option, you can send all your traffic over an encrypted VPN (virtual private network), although you are still vulnerable to sidejacking where your VPN connects (for example, at your work network). If you do use a VPN, keep a careful eye on your connection status, especially on iOS devices that frequently drop VPN connections and leave your traffic unprotected.

There are two Firefox plug-ins that force your browser to use SSL sessions for sites that support them. HTTPS-Everywhere works with a preset list of sites built into the plug-in, while Force-TLS lets you specify your own site list. Both of these are mentioned in an updated post by Firesheep’s creator.

Finally, you can avoid using public Wi-Fi networks. This isn’t an option for many people, but for years now I’ve avoided them by using 3G wireless for my mobile access (either a 3G card, portable router, or by turning off Wi-Fi on my iPhone). That limits my risk to Verizon or AT&T sidejacking me, which I consider pretty darn low.

As with many security issues hyped in the headlines, Firesheep isn’t the sort of thing that should keep you up at night, but if you frequently use public networks (wired or wireless), you might try to stick to sites that use full-session SSL as much as possible, or take the other precautions noted above.

When you think of editing photos, you probably think of Photoshop, Adobe’s professional image editing behemoth. But the new Photoshop Elements 9 offers most of the features that are important to digital photographers, for just $99. Jeff Carlson reviews Photoshop Elements and highlights what’s new in version 9.

Photoshop is one of those rare products whose name recognition has transcended its source. Many people who may otherwise have no familiarity with computers beyond the basics of Web browsing and email understand that to manipulate digital photos, they need “Photoshop,” without realizing what they probably have in mind is the professional Photoshop CS5.

The software has even become a verb in the popular consciousness. It’s not difficult to find examples of news articles about images being poorly “Photoshopped” for advertising or even political gain. (And if you haven’t seen Photoshop Disasters, you really must check it out.)

So when an average person goes looking for Photoshop—either as a starting point or in search of a tool more advanced than iPhoto—you can imagine their shock at the $699 starting price of Photoshop CS5. Adobe learned long ago that making a consumer version of its flagship image editor satisfied a need in the market, but early versions were primarily stripped-down versions that shipped with scanners. Now, Photoshop Elements is packed with features, and in the new version 9, the software gains a few key capabilities of Photoshop CS5, but at the much more reasonable price of $99.

Photoshop Elements Basics -- In truth, when people think of needing Photoshop for their digital photos, they’re typically thinking of the basic color-correction tools offered by iPhoto—lightening underexposed images, cropping, adjusting color balance, and the like. And, of course, iPhoto makes it easy to apply such edits. But iPhoto’s correction tools are broad, affecting the entire image. Photoshop Elements offers additional layers (literally) of granularity for more specific edits.

One of the strengths of Photoshop Elements is that it caters to multiple skill levels. Using the Quick Edit environment, for example, you can adjust an image’s lighting, color saturation, and other attributes using familiar sliders. Click the expansion triangle to the right of a slider to display Quick Fix previews, then click a thumbnail image for the amount of the adjustment to apply. (Here’s a tip: Click and drag on a thumbnail to fine-tune the amount.)

But what if you don’t want to apply an adjustment to the entire image? The selection tools in the Full Edit mode are first-rate. Grab the Quick Selection tool to select a specific area of the image. In the image below, I’ve “painted” around the figures and selected the sky; I want to brighten the sky, but keep the figures in silhouette. I didn’t need to be very precise with the Quick Selection tool, because it detects edges and snaps to them as I draw close.

I could easily apply a lighting adjustment here (by going to the Enhance > Adjust Lighting menu), but that would change the values of the image’s pixels. As much as possible, I want to retain the original color values in case I change my mind later. Instead, I create a new adjustment layer: from the bottom of the Layers panel to the right of the image, I click the Create Adjustment Layer button and choose Levels. The adjustment layer sits above the image’s layer (the Background layer) and changes the appearance of the image without actually changing the pixel values themselves.

Because I made a selection before creating the adjustment layer, any changes I make affect only the selected area—in this case, the sky. I can then play with the sliders in the Adjustments panel to get the result I want. If I decide later that the sky is too bright, I can select the adjustment layer and change the sliders again. Better yet, if I want to go in a completely different direction with the photo, I can just delete the adjustment layer and start over—again, without disrupting the original pixels.

This sounds like advanced Photoshop work, and in a way it is, but it’s also very accessible (and, importantly, non-destructive). Photoshop Elements’ tools make it easy to get your head around what’s being done to your image.

Adjustment layers aren’t new in Photoshop Elements 9, but they do point to a welcome new feature. At last, the program supports real layer masks. You can make a selection and create a mask, hiding everything that is not selected. Layer masks are good for making adjustments, but also extremely useful when compositing elements of several images together, like a collage.

Content Aware Healing -- One of the best new features in Photoshop Elements is almost undetectable if you don’t look closely. The Spot Healing Brush has been a great tool for making repairs like removing blemishes or dust spots. Now, the tool uses Adobe’s Content Aware technology, which was introduced in Photoshop CS5 earlier this year. If you’ve ever done any image repair or touchup work, Content Aware really seems like magic. It’s smarter about analyzing an area to repair and filling it with similar pixels, making it a much faster alternative to the traditional way to make such edits, the Clone Stamp tool.

For example, in the image below, I want to remove a power line that bisects Seattle’s Space Needle. Unfortunately, the line cuts through an area that includes a lot of detail.

To remove the line, I drag across it once using the Spot Healing Brush. The same edit would have taken more time using the Clone Stamp tool in the past.

The implementation of the Spot Healing Brush in Photoshop Elements is limited compared to Photoshop CS5, as you might expect in a consumer-level program. For example, in Photoshop CS5 you can make a selection and hit the Delete key, and the program will replace the area with sensible imagery. In Photoshop Elements, however, you can still get much of the same effect with a little elbow (or wrist) grease: paint over a large area with the Spot Healing Brush and see what happens.

The technology is also used by the Photomerge Panorama feature. After stitching together a panorama, there’s always some dead space left around the edges, which is normally just cropped out.

But now you’re asked if you want to fill that space using the content-aware feature. The results can be mixed, depending on the source material; it’s great for skies, but can muddle areas with identifiable objects, such as the ground in the version below.

Photomerging -- One of the things I love about Photoshop Elements is that Adobe has put effort into helping photographers overcome common problems. Yes, the tools are there to compensate for dark photos or spot-fix aberrations, but it often takes some know-how to do it. The Photomerge features tackle specific problem situations.

To give one example, the Photomerge Scene Cleaner—introduced in Photoshop Elements 8 on the Mac—lets you remove unwanted elements from a scene by sourcing multiple similar shots. (This is a good example of why shooting in burst mode, where you can fire off three or more pictures in rapid succession, can be helpful.) The feature was originally billed as the Tourist Remover for its capability to erase bystanders who had unwittingly wandered into a shot.

In the example below, I’ve opened three shots into the Photomerge Scene Cleaner editor, and specified the best of the lot as the Final image at right. I don’t want the little girl in orange pants to appear, so I set as Source (at left) a shot where the girl was no longer occupying the same space.

To erase her from the image, I draw a line through her on the right; Photoshop Elements pulls the corresponding pixels from the Source image. This action accomplishes the same effect as the Spot Healing Brush I mentioned earlier, but in this case the program is replacing original corresponding pixels rather than synthesizing an area algorithmically.

A new Photomerge module in Photoshop Elements 9 is Style Match, which is designed to apply the photographic style of one image to another. In theory, it will let you approximate the look of, say, an Ansel Adams photo to one of your own. Adobe provides a handful of stylized source images, but you can also use your own photos or any other image.

In practice, I find the results to be heavy-handed, consistently blowing out highlights and requiring that I pull back on the Style Intensity slider. Just as bringing a camera and tripod to Yosemite won’t necessarily result in images that look as good as Ansel Adams photos, the Photomerge Style Match won’t magically make your photos look like a master’s. However, in either situation you’ll have fun getting the picture.

The Organizer -- I’ve saved the biggest change for last, because it’s something that is likely to be embraced or just ignored by Mac users. Photoshop Elements 9 now includes the Organizer (officially the Adobe Elements 9 Organizer), a separate application for managing one’s library of photos and videos. The Organizer has been a staple of Photoshop Elements under Windows for several versions, and on the Mac it replaces Adobe Bridge.

Like iPhoto, the Organizer imports and manages digital photos and videos, lets you organize media into albums, and lets you rate items on a scale of one to five stars. I particularly like the full-screen mode for sorting, rating, and tagging photos quickly.

(However, the Photo Downloader—a separate utility—crashes when connecting to an iPhone 4 or iPhone 3GS, the models I was able to test; Adobe is looking into the problem.)

The Organizer also includes quick-fix options for making basic adjustments to photos without opening them in the Photoshop Elements application, and options for sharing images to Flickr, Facebook, SmugMug, email, and more.

And it makes extensive use of keyword tags, which are alternately helpful and irritating. An option to analyze media automatically as it’s imported into the library applies smart tags that make it easy to weed out clips that are blurry, overexposed, or otherwise faulty. The feature is on by default, though I turned it off because it slows down the computer while processing. (You can activate the Auto-Analyzer manually whenever you want.) The analysis also looks for people’s faces in photos, so you can identify and group them on a per-person basis.

Keyword tags in general, however, are cumbersome. The tags appear in the Keyword Tags panel in a list, with corresponding icons, grouped hierarchically under categories such as Places and Events. You end up dragging, scrolling, and expanding categories to manage what really should just be text elements. Keyword tags have a peculiar engineer feel to them. The structure and process makes sense—and you can almost envision the flowchart that explains it all—but it doesn’t reflect how people would want to use tags. To see tags done correctly, look to Adobe’s Photoshop Lightroom or Apple’s Aperture, where you type tags, separated by commas, and they appear in a list.

One feature I use in every photo program that offers it is support for smart albums. For example, instead of creating a new album and dragging favorite photos from a recent vacation into it, I create a smart album that automatically locates all items ranked three stars or higher within the vacation’s date range. As I add new photos or change rankings, the smart album’s contents change dynamically.

The problem is, you can’t easily edit a smart album in the Organizer. You can change its settings after the album is created (in the options bar, click the Options button and then choose Modify Search Criteria), but that doesn’t actually edit the smart album. You must save the new criteria as a new smart album. This behavior has prevailed for several versions of the Organizer under Windows; perhaps people never edit (or use) smart albums, but it amazes me that the feature is as clunky as it is, and has been that way for so long.

A couple of features of the Organizer didn’t transfer from Windows to Mac: there’s no Map feature for assigning geolocation information, nor is there the capability to create a photo slideshow.

If you don’t want to use the Organizer to manage your library, you can still use Adobe Bridge (if you installed it with a previous version of Photoshop Elements, or as part of the Adobe Creative Suite) or iPhoto. In Bridge, right-click or Control-click a photo and choose Photoshop Elements from the Open With submenu that appears. In iPhoto, go to preferences, click the General icon, and from the Edit Photo pop-up menu choose In application; then select Photoshop Elements in the dialog that appears.

Photoshop.com Integration -- Photoshop Elements 9 now includes support for Adobe’s Photoshop.com service, enabling you to publish photos to that service, edit them online, and sync them back to your library in the Organizer. As someone who’s had a Flickr account for many years, what interests me most is being able to back up photos off-site.

Included with the purchase of Photoshop Elements is 2 GB of online storage at Photoshop.com, which won’t cover one’s entire photo library (not even close), but does give you an opportunity to have off-site backups of your top-rated photos, for instance.

Cost and Availability -- Photoshop Elements 9 costs $99, or $79 with a mail-in rebate. The program is also available in a bundle with Premiere Elements 9 for $149.99 (or $119.99 after mail-in rebate).

(If you’re interested in editing video using Premiere Elements 9, which makes its debut on the Mac, see my review for Macworld.)

As you can tell, I’m a big fan of Photoshop Elements—not just because it offers professional photo editing capabilities at a reasonable price, but because Adobe has done a good job of figuring out how it can best help photographers who don’t push pixels for a living. I’ve just finished updating my “Photoshop Elements 9: Visual QuickStart Guide” for Peachpit Press (both Mac OS X and Windows editions), and after using the program for the past few months, I recommend it highly, even given some of the quirks I noted in the easily avoided Organizer.


iPhoto ’11 9.0.1 -- After cries of woe from users for whom the iPhoto ’11 upgrade process erased all their photos, Apple has now released iPhoto ’11 9.0.1 (that’s right, iPhoto ’11 is in the 9.x version number range—that’s what happens when Apple relies on years for product names). iPhoto 9.0.1 “addresses issues that, in extremely rare cases, could result in data loss when upgrading a library from an earlier version of iPhoto.” Since it’s important to update to iPhoto 9.0.1 before upgrading your library, first install iLife ’11 and then, before you launch iPhoto ’11 for the first time, open Software Update and download the iPhoto 9.0.1 update. Once that’s installed, you can launch iPhoto and allow it to upgrade your library. Apple has a support note about the process that recommends that you make a backup first (always a good idea) and that you allow the upgrade process to complete even if it’s moving very slowly. All that said, continue to hold off on installing iPhoto ’11 if you need to create a calendar for the holiday season, since Apple still hasn’t confirmed when that functionality will return. ($49 new with iLife ’11, free update, 33.87 MB)

Camino 2.0.5 -- The open-source Web browser Camino has been bumped to version 2.0.5 in what The Camino Project terms “a stability and security update.” Beyond improvements in both those areas, the update adds compatibility with Google Calendar’s print function, upgrades the bundled Java Embedding Plugin to version 0.9.7.4, and improves ad-blocking. Also fixed is an issue that affected users of Mac OS X’s Spaces feature where plug-ins wouldn’t properly recognize which modifier keys were pressed. Support for Bloglines—which is shuttering in the next two weeks—was removed as well. (Free, 15.8 MB)

Postbox 2.0.2 -- Postbox 2.0.2 includes a variety of fixes to the Thunderbird-based email software. The new version corrects an issue with importing messages from Apple Mail that could cause message bodies to display incorrectly. It also adds or improves support for several third-party tools, including the QuickText Add-on, the keyboard launcher Alfred, and OmniFocus. Also included in this update is a fix for an issue with the Subscribe menu option being enabled when it shouldn’t be, and another for an issue with the Quick Reply feature. ($39.95, free update, 12 MB)

Things 1.4.3 -- Cultured Code has updated its task management software Things to version 1.4.3. New in this incremental release is a Quick Entry preference that lets you choose either Inbox or Today as the default destination for newly entered tasks. Other varied improvements are included, too: tasks now show their creation and last modified dates, Projects and Areas can be sorted alphabetically, font-size changes now also affect the Tags window, and handling of non-ASCII characters in email subjects works better.

The Things update also packs in a few fixes, addressing an issue with using Quick Entry in combination with Mac OS X Spaces, a problem where the keyboard shortcut for emptying the Trash would erroneously also delete the currently selected task, and various Logbook issues. ($49.95 new, free update, 8 MB)


Two quick links for you this week: one to news of Amazon’s plans to add lending of Kindle titles and another to Jeff Carlson’s iMovie review at Macworld.

Amazon to Debut Kindle Lending and Periodicals in Apps -- Amazon.com has announced that Kindle newspapers and magazines will be available within Kindle apps in the coming weeks, and more interestingly, that lending of Kindle titles will appear later this year, following in Barnes & Noble’s footsteps with the Nook. Each book can be lent once to another Kindle device for 14 days, and you cannot read the book while it’s lent out. Publishers will determine which books are lendable. Will Apple do something similar with the iBookstore? Seems unlikely at the moment.

Jeff Carlson Reviews iMovie ’11 for Macworld -- iMovie ’11 is a substantial update to the video editor included in iLife ’11, but is it worth the upgrade? Jeff Carlson digs into the details of the new version, uncovering features not mentioned during Apple’s “Back to the Mac” event or on the Web site, explains why it’s worthy of 4.5 mice, and points out ongoing shortcomings.